SPLIT-KEY KEY-AGREEMENT PROTOCOL

The present invention relates to the field of key agreement protocols in cryptographic 
systems. 


BACKGROUND OF THE INVENTION 

Traditionally, entities communicated on paper and were able to ensure privacy in many ways. The transition from paper to electronic media, however, has created the need for electronic privacy and authenticity. In cryptographic schemes, the entities use primitives, which are mathematical operations together with encoding and formatting techniques, to provide security. For each scheme the parties participating in the scheme normally agree upon or exchange certain information before executing the scheme function. The specific information that needs to be agreed upon is detailed for each scheme. Such agreement may be achieved by any means suitable for the application. It may be implicitly built into the system or explicitly achieved by some sort of exchange of information with or without involvement from other parties. In particular, parties often need to agree on parameters and obtain each other's public keys. For proper security, a party needs to be assured of the true owners of the keys and parameters and of their validity. Generation of parameters and keys needs to be performed properly and, in some cases, verification needs to be performed.

In general, the different types of schemes may be defined as follows. In key agreement schemes, two parties use their public/private key pairs and possibly other information to agree on a shared secret key. A signature scheme with appendix is a scheme in which one party signs a message using its private key and any other party can verify the signature by examining the message, the signature, and the signer's corresponding public key. In signature schemes with message recovery, one party signs a message using its private key and any other party can verify the signature and recover the message by examining the signature and the signer's corresponding public key. Finally, in encryption schemes, any party can encrypt a message using the recipient's public key and only the recipient can decrypt the message using its corresponding private key.

An example of a key derivation scheme is MQV (Menezes-Qu-Vanstone). In the MQV scheme, a shared secret value is derived from one party's two key pairs and another party's two public keys, where all the keys have the same discrete log (DL) parameters. In this generalized MQV scheme, it is assumed that the shared secret value is that which is shared between two parties.

JUL-19-2000 11:30 CRflNGE & CHAR I 416 601 8454 P. 05/13

However, where each party or entity consists of a collection of parties, say A = {A1, A2, ..., An} and B = {B1, B2, ..., Bm}, where m is not necessarily equal to n and at least one of m or n is at least two (that is, not both A and B consist of one individual), it is difficult to implement the generalized MQV scheme if these two entities wish to establish a common key in order to communicate privately.

SUMMARY OF THE INVENTION

Accordingly, the present invention seeks to provide a solution to the problem of 
establishing a common key for private communication between entities wherein the entities 
include a collection of sub entities. 

An advantage of the present invention is that all members of each entity must participate in the scheme and no sub-collection of either entity can impersonate its entire entity.

In accordance with this invention there is provided a method for generating a shared secret value between entities in a data communication system, one or more of the entities having a plurality of members for participation in the communication system, each member having a long term private key and a corresponding long term public key, the method comprising the steps of:

(a) generating an entity long term private key and corresponding entity long term public key for each entity by combining the long term private and public keys of each member of the entity;

(b) generating a short term private and a corresponding short term public key for each of the members;

(c) exchanging short term public keys of the members within an entity;

(d) for each member:

i. computing an intra-entity shared key by mathematically combining said short term public keys of each said member;

ii. computing an intra-entity public key by mathematically combining its short-term private key, the long term private key and said intra-entity shared key;

(e) for each entity, combining intra-entity public keys to derive a group short-term public key;

(f) each entity transmitting its intra-entity shared key and its group short term public key to said other entities; and

(g) each entity computing a common shared key K by combining its group short term public key with the intra-entity shared key and an entity long term public key received from the other entity.



BRIEF DESCRIPTION OF THE DRAWINGS

A preferred embodiment of the invention will now be described by way of example only with reference to the accompanying drawings in which:
Figure 1 is a schematic diagram of a communication system; and
Figure 2 is a schematic diagram illustrating the steps of a protocol to establish a common key.


DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Referring to figure 1, a schematic diagram of a communication system is shown generally by numeral 10. The system 10 includes a first entity A (12) and a second entity B (14) that exchange data over a communication channel 16. Each of the entities A and B includes members A1, A2, ..., An and B1, B2, ..., Bm, respectively. For convenience, the embodiment described has two members A1, A2 and B1, B2, although it will be appreciated that typically each entity will have several members. It is assumed the entities A and B include processors for performing cryptographic operations and the like. The members A1, A2 may for example be a first group of users on a local area network (LAN) that wish to communicate securely with a second group of users B1, B2 on a second LAN or even on the same LAN. In either case the computations may be performed for the entities A (12) and B (14) by, for example, a LAN server 18 or the like, provided that each member has its own secure boundary.

Each entity and its associated members Ai, Bi have been initialized with the same system parameters. The system parameters for this exemplary protocol are an elliptic curve point P, which is the generating point, of order n, of an elliptic curve over a finite field. Additionally, each of the members is initialized with respective long-term public and private key pairs. That is, each of the members Ai has the long term private and public key pair (ai, aiP) and each of the members Bi has the long term private and public key pair (bi, biP), respectively.

Each of the entities A, B generates respective long-term public keys derived from the long-term public keys of each of its members. The long-term private key a of the entity A is then (a1 + a2 + ... + an) and its corresponding long-term public key aP is (a1 + a2 + ... + an)P. In the present example the key pair (a, aP) of entity A is (a1 + a2), (a1 + a2)P. Similarly, for entity B its long-term private key b is (b1 + b2) and its corresponding long-term public key is bP = (b1 + b2)P. The entity long-term public keys aP, bP can be computed by summing the members' public keys. The entity public keys are published by the respective entities and, if appropriate, certified by a trusted authority or CA trusted by all of the entities.

Typically, entities A (12) and B (14) wish to agree upon a common key, which may then be used for subsequent cryptographic communications between the entities.

Referring now to figure 2, a schematic diagram of an embodiment of a suitable protocol is shown generally by numeral 40. The member A1 generates a random value x1 (its short-term private key, also known as an ephemeral or session key) and computes a corresponding value x1P (its short-term public key); similarly, member A2 generates a random value x2 and computes a corresponding value x2P. Preferably 0 < ai < n-1 and 0 < xi < n-1. Next, the members of the entity A exchange their session public keys xiP. In the present example, A2 and A1 exchange their session public keys x1P and x2P, denoted X1 and X2 respectively. This may be termed a first intra-entity key exchange.

Next, member A1 computes r = x1P + x2P and similarly, member A2 computes r = x2P + x1P. This establishes an intra-entity shared key that is available to, and contains a contribution from, each member of the entity.

The entity A transmits the intra-entity shared key r to the entity B with whom it wishes to establish a common key K.

Next, member A1 computes a short term intra-entity public key s1 using its short term private key and long term private key, combined with a function f of the intra-entity shared key, that is s1 = x1 + a1 f(r) (mod n), where f is typically a hash function such as SHA-1 and n is the order of the curve. Similarly, member A2 computes its intra-entity public key s2 = x2 + a2 f(r) (mod n).

The entity A computes an entity or group short term public key, which is derived from a summation of the intra-entity public key of each member: s = s1 + s2 = (x1 + x2) + (a1 + a2) f(r) (mod n).

The entity B similarly computes the analogous information using its own public and private keys, with the same computations performed by entity A. Thus, each member of B computes an intra-entity shared key r using the short term public keys of each of the members, and r is forwarded to entity A. Next, each of the members in B computes its own intra-entity public key ti = yi + bi f(r) (mod n), and the group short-term public key t = t1 + t2 is computed.

The entity A then computes a value K, which is the shared key between the entities A and B, by retrieving the long term public key bP of entity B and computing K = s(r + (bP) f(r)) = s(t)P, where r is here the intra-entity shared key received from B. The entity B also retrieves the long term public key aP of entity A and computes K using t, r and aP, i.e. K = t(r + (aP) f(r)) = t(s)P.

Consequently, if a member of the entity A, either A1 or A2, is not present in the scheme then the group short term public key s changes, as does the value for K. Therefore, communication with entity B would not be successful without establishing a new session. Similarly, if either B1 or B2 is not present in the scheme then the group short term public key t changes, altering the value of K. In this case, communication with A would not be successful without establishing a new session.

Accordingly, the present protocol ensures that all members of each entity must participate in the scheme and no sub-collection of either entity can impersonate its entire entity.
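The exchange described above, carried through in code as an added worked example (this is not the patent's own code). It implements steps (a) to (g) for entities of any number of members and also exercises the point of the preceding paragraph: when only A1 takes part while B trusts the published entity key (a1 + a2)P, the two sides end up with different values of K. Assumptions the text does not fix and that are mine: secp256k1 as the curve, with its generator as P and its group order as n; SHA-256 of the big-endian x||y encoding of a point, reduced mod n, as the function f (the text says f is typically SHA-1); and the small long-term keys used when the script is run are constructed for the demonstration only.

```python
"""Split-key key agreement over an elliptic curve, steps (a)-(g) of the text.

Added worked example, not the patent's code. Assumed here (the text does not fix
them): secp256k1 as the curve with generator P of prime order n; SHA-256 of the
big-endian x||y point encoding, reduced mod n, as the function f; long-term
member keys passed in as constructed integers for the demonstration."""
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_p, generator P of prime order n
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(Q, R):
    """Affine point addition; the curve coefficient a is 0 for secp256k1."""
    if Q is INF:
        return R
    if R is INF:
        return Q
    (x1, y1), (x2, y2) = Q, R
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return INF  # R == -Q
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p  # point doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, Q):
    """Double-and-add scalar multiplication k*Q (k an integer, Q a point)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return acc

def ec_sum(points):
    """Sum of a sequence of points (the '+' the text uses for r and for aP)."""
    acc = INF
    for Q in points:
        acc = ec_add(acc, Q)
    return acc

def f(point):
    """The function f of the text: a hash of the point reduced mod n (SHA-256 assumed)."""
    enc = point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(enc).digest(), "big") % n

def entity_public_key(member_pubs):
    """Step (a): the entity long-term public key aP is the sum of the members' aiP."""
    return ec_sum(member_pubs)

def intra_entity_round(member_privs, ephemerals=None):
    """Steps (b)-(e) inside one entity, given its members' long-term private keys ai.

    Each member picks xi and gives xiP to the other members; every member then
    computes r = sum(xiP), its own si = xi + ai*f(r) mod n, and s = sum(si) mod n.
    Returns (r, s): r is sent to the peer entity, s stays inside the entity."""
    if ephemerals is None:
        ephemerals = [1 + secrets.randbelow(n - 1) for _ in member_privs]
    r = ec_sum(ec_mul(x, P) for x in ephemerals)
    s = sum((x + a * f(r)) % n for x, a in zip(ephemerals, member_privs)) % n
    return r, s

def common_key(own_s, peer_r, peer_entity_pub):
    """Step (g): K = s*(r' + f(r')*bP), which equals s*t*P when bP is the genuine key."""
    return ec_mul(own_s, ec_add(peer_r, ec_mul(f(peer_r), peer_entity_pub)))

def run_protocol(a_privs, b_privs, a_eph=None, b_eph=None, published_aP=None, published_bP=None):
    """Full exchange between entity A and entity B; returns both K values and s, t.

    The published entity keys default to those derived from the members present.
    Passing a different published_aP models a peer that trusts a certified entity
    key while only a sub-collection of A's members actually takes part."""
    aP = published_aP or entity_public_key([ec_mul(a, P) for a in a_privs])
    bP = published_bP or entity_public_key([ec_mul(b, P) for b in b_privs])
    r_a, s = intra_entity_round(a_privs, a_eph)
    r_b, t = intra_entity_round(b_privs, b_eph)
    # step (f): each entity sends its r; the peer's long-term key comes from its publication
    return {"K_A": common_key(s, r_b, bP), "K_B": common_key(t, r_a, aP), "s": s, "t": t}

if __name__ == "__main__":
    out = run_protocol([3, 5], [7, 11])  # constructed toy long-term keys a1, a2, b1, b2
    print("both entities hold the same K:", out["K_A"] == out["K_B"])
```

Calling run_protocol with fixed ephemerals makes a run repeatable for checking; in normal use they come from secrets.randbelow. The result K is a curve point, and the equality K_A = s(t)P = t(s)P can be confirmed directly by computing ec_mul(s * t % n, P) from the returned s and t.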

Although the above scheme has been described with respect to elliptic curve systems, which form an additive group, it may analogously be used in multiplicative groups. Furthermore, the above protocol, although exemplified with two members per entity, may be generalized where each party or entity consists of a collection of members, say A = {A1, A2, ..., An} and B = {B1, B2, ..., Bm}, where m is not necessarily equal to n and at least one of m or n is at least two (that is, not both A and B consist of one individual).

Although the invention has been described with reference to certain specific embodiments, various modifications thereof will be apparent to those skilled in the art without departing from the spirit and scope of the invention as outlined in the claims appended hereto.

THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:

1. A method for generating a shared secret value between entities (A, B) in a data communication system, one or more of said entities having a plurality of members (Ai, Bi) for participation in said communication system, each member having a long term private key and a corresponding long term public key, said method comprising the steps of:

(a) generating an entity long term private key and corresponding entity long term public key for each entity by combining the long term private and public keys of each member of the entity;

(b) generating a short term private and a corresponding short term public key for each of the members;

(c) exchanging short term public keys of the members within an entity;

(d) for each member:

i. computing an intra-entity shared key by mathematically combining said short term public keys of each said member;

ii. computing an intra-entity public key by mathematically combining its short-term private key, the long term private key and said intra-entity shared key;

(e) for each entity, combining intra-entity public keys to derive a group short-term public key;

(f) each entity transmitting its intra-entity shared key and its group short term public key to said other entities; and

(g) each entity computing a common shared key K by combining its group short term public key with the intra-entity shared key and an entity long term public key received from the other entity.

2. A method as defined in claim 1, said long term public key being derived from a generator point P and respective ones of said long term private keys.

3. A method as defined in claim 2, said step (a) including each member selecting a random integer xi and multiplying said point P by xi to obtain xiP, the short term public key.
4. A method as defined in claim 3, said intra-entity shared key being computed by summing said short term public keys.

5. A method as defined in claim 4, said intra-entity public key si being derived by computing si = xi + ai f(Σ xiP), where f is a hash function.

6. A method as defined in claim 5, said group short term public key being derived by computing Σ si.

7. A method as defined in claim 1, said long term public keys being derived from a generator g 
and respective ones of said long term private keys. 

8. A method as defined in claim 7, said step (a) including the step of each member selecting a random integer (xij) and exponentiating a function h(g) including said generator to a power g(xij) to obtain the short term public key Xij = h(g)^g(xij).

9. A method as defined in claim 8, said intra-entity shared key (Xi) being computed by each entity multiplying each of its short-term public keys together.

10. A method as defined in claim 1, including the step of exchanging the entity long term public key between entities.

11. A method as defined in claim 10, each entity computing a common shared key K by combining its group short term public key (Si) with the intra-entity shared key (Xi) and an entity long term public key received from the other entity.
ABSTRACT

This invention relates to a method for generating a shared secret value between entities in a data communication system, one or more of the entities having a plurality of members for participation in the communication system, each member having a long term private key and a corresponding long term public key. The method comprises the steps of generating a short term private and a corresponding short term public key for each of the members, and exchanging short term public keys of the members within an entity. Each member then computes an intra-entity shared key by mathematically combining the short term public keys of each of the members, and computes an intra-entity public key by mathematically combining its short-term private key, the long term private key and the intra-entity shared key. Next, each entity combines intra-entity public keys to derive a group short-term public key Si; each entity transmits its intra-entity shared key and its group short term public key to the other entities; and each entity computes a common shared key K by combining its group short term public key (Si) with the intra-entity shared key (Xi) and a group short term public key received from the other entities.